From actionista
Creates, debugs, and optimizes GitHub Actions workflow YAML files. Recommends current action versions with SHA pinning from a daily-updated index of 260+ actions. Configures matrix builds, dependency caching, reusable workflows, OIDC authentication, secrets management, and runner selection. Includes a workflow-analyzer agent for reviewing existing workflows. Use when the user asks about GitHub Actions, workflows, CI/CD, .github/workflows, any action by name (actions/checkout, setup-node, setup-python, etc.), or workflow analysis.
npx claudepluginhub claylo/claylo-marketplace --plugin actionistaThis skill uses the workspace's default tool permissions.
<SUBAGENT-STOP>
actions-index.jsonagents/workflow-analyzer.mdexamples/ci-node.yamlexamples/ci-rust.yamlexamples/deploy-aws.yamlexamples/release-please.yamlreferences/expressions.mdreferences/github-action.schema.jsonreferences/patterns-artifacts.mdreferences/patterns-caching.mdreferences/patterns-composite-actions.mdreferences/patterns-concurrency.mdreferences/patterns-environments.mdreferences/patterns-matrix-builds.mdreferences/patterns-reusable-workflows.mdreferences/permissions.mdreferences/runners.mdreferences/security-hardening.mdreferences/security-secrets.mdreferences/security-supply-chain.mdImplements Playwright E2E testing patterns: Page Object Model, test organization, configuration, reporters, artifacts, and CI/CD integration for stable suites.
Guides Next.js 16+ Turbopack for faster dev via incremental bundling, FS caching, and HMR; covers webpack comparison, bundle analysis, and production builds.
Discovers and evaluates Laravel packages via LaraPlugins.io MCP. Searches by keyword/feature, filters by health score, Laravel/PHP compatibility; fetches details, metrics, and version history.
Comprehensive knowledge for creating, debugging, and optimizing GitHub Actions workflows with current action versions and best practices.
This skill includes specialized agents in the agents/ directory.
| Agent | When to Use |
|---|---|
workflow-analyzer | Any request to review, check, audit, optimize, or analyze existing workflow files |
When a user requests workflow analysis, review, or optimization of existing workflows, ALWAYS dispatch the workflow-analyzer agent. Do not perform the analysis inline.
This skill (SKILL.md) handles workflow creation and reference. The agent handles workflow review.
!command -v actionlint 2>/dev/null && echo "actionlint: installed" || echo "actionlint: not installed"
!command -v act 2>/dev/null && echo "act: installed" || echo "act: not installed"
If either tool is missing, suggest the user install them:
brew install actionlint — workflow linter that catches syntax errors, type mismatches, and expression problems offlinebrew install act — runs workflows locally in Docker without pushingConsult actions-index.json in this skill directory for current versions of 264 popular actions. The index is updated daily and organized by category.
Do not read the entire file. Use jq to query only what you need.
The index has a top-level _metadata object and an actions object keyed by action name (e.g., actions/checkout).
Each action entry has these fields:
| Field | Always Present | Description |
|---|---|---|
latest | ✓ | Latest major version tag (e.g., v6) |
latestFull | ✓ | Full semver version (e.g., v6.0.2) |
sha | ✓ | Commit SHA for the latest release — use this for SHA pinning |
description | ✓ | Short description of the action |
category | ✓ | One of: core, setup-languages, build-tools, testing, linting, release, security, docker, cloud-aws, cloud-azure, cloud-gcp, infrastructure, kubernetes, notifications, git-operations, package-managers, documentation, mobile, ai-assistants, utilities |
inputs | mostly | Array of accepted input names |
deprecated | sometimes | Array of deprecated major versions |
migrations | sometimes | Breaking changes between major versions, including added/removed inputs |
Get SHA pin + version comment for an action:
jq -r '.actions["actions/cache"] | "- uses: actions/cache@\(.sha) # \(.latestFull)"' actions-index.json
# Output: - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
Get latest version of an action:
jq -r '.actions["actions/checkout"].latestFull' actions-index.json
List all actions in a category:
jq -r '[.actions | to_entries[] | select(.value.category == "setup-languages")] | sort_by(.key) | .[] | "\(.key) \(.value.latestFull)"' actions-index.json
Check if a version is deprecated:
jq '.actions["actions/checkout"].deprecated // []' actions-index.json
Get migration notes between versions:
jq '.actions["8398a7/action-slack"].migrations' actions-index.json
Always verify versions before recommending — use the index or fetch from GitHub releases if needed.
| Pattern | When to Use | Reference |
|---|---|---|
| Matrix builds | Test across versions/platforms | references/patterns-matrix-builds.md |
| Caching | Speed up dependency installation | references/patterns-caching.md |
| Artifacts | Share files between jobs | references/patterns-artifacts.md |
| Reusable workflows | Share workflows across repos | references/patterns-reusable-workflows.md |
| Concurrency | Prevent duplicate runs | references/patterns-concurrency.md |
| Environments | Deployment gates/approvals | references/patterns-environments.md |
| Composite actions | Create custom actions | references/patterns-composite-actions.md |
| Topic | Key Points | Reference |
|---|---|---|
| Secrets | Never hardcode, use OIDC when possible | references/security-secrets.md |
| Permissions | Principle of least privilege | references/security-hardening.md |
| Supply chain | Pin actions, review dependencies | references/security-supply-chain.md |
Every workflow should include these often-missed fields:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 30
Full JSON Schema for workflow validation: references/github-action.schema.json
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22'
cache: 'npm'
For custom caching, see references/patterns-caching.md.
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
node: [18, 20, 22]
exclude:
- os: windows-latest
node: 18
include:
- os: ubuntu-latest
node: 20
coverage: true
jobs:
build:
runs-on: ubuntu-latest
steps: [...]
test:
needs: build
runs-on: ubuntu-latest
steps: [...]
deploy:
needs: [build, test]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps: [...]
For conditional execution patterns (if:, always(), failure()), trigger event configuration, and expression syntax, see references/triggers.md and references/expressions.md.
permissions:
contents: read
jobs:
build:
permissions:
contents: read
deploy:
permissions:
contents: read
id-token: write
packages: write
NEVER fabricate a SHA. The actions-index.json file is right here in this skill directory with the correct full 40-character SHA for every tracked action. Use jq to read it. There is no excuse for generating, guessing, or completing a partial SHA from memory — LLMs will confidently produce hex strings that look correct but point at nonexistent commits. A fabricated SHA defeats the entire purpose of pinning and is a security-critical failure. Always read the real SHA from the index.
# Good: Pin to full SHA (read from actions-index.json)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
# Acceptable: Pin to major version
- uses: actions/checkout@v6
# Bad: Unpinned or floating
- uses: actions/checkout@main
- uses: actions/checkout
Prefer OIDC over long-lived credentials. See references/security-secrets.md for setup guides for AWS, GCP, and Azure.
Before pushing workflow changes, verify correctness:
Lint with actionlint — catches syntax errors, type mismatches, and expression problems that YAML parsers miss:
actionlint .github/workflows/*.yml
Test locally with act — runs workflows in Docker without pushing:
act push --job build
act pull_request -e event.json
Check workflow run logs — after pushing, verify in the Actions tab:
cache hit: true)Validate secrets access — workflows fail silently when secrets are missing. Verify required secrets exist in repo/org settings before relying on them.
For workflow review, auditing, and optimization of existing workflows, dispatch the workflow-analyzer agent. See the Agents section above.
All reference files are in references/:
| File | Topic |
|---|---|
workflow-syntax.md | Complete workflow YAML reference |
expressions.md | Expression syntax, contexts, functions |
triggers.md | All event triggers with examples |
runners.md | Runner selection, self-hosted setup |
permissions.md | GITHUB_TOKEN scopes, OIDC setup |
troubleshooting.md | Common errors and solutions |
patterns-matrix-builds.md | Matrix strategies, include/exclude |
patterns-caching.md | Cache action, custom keys, restore strategies |
patterns-artifacts.md | Upload/download, retention, cross-job sharing |
patterns-reusable-workflows.md | workflow_call, inputs, secrets |
patterns-concurrency.md | Groups, cancel-in-progress |
patterns-environments.md | Deployment environments, protection rules |
patterns-composite-actions.md | Creating custom actions |
security-secrets.md | Management, rotation, OIDC setup |
security-hardening.md | Permissions, pinning, CodeQL |
security-supply-chain.md | Dependency review, Dependabot |
Working templates in examples/: ci-node.yaml, ci-rust.yaml, deploy-aws.yaml, release-please.yaml
actions-index.json — Current versions of 260+ popular actions (updated daily)tracked-actions.yaml — List of tracked actions by category